 From:  "David Burgess" <apt dot get at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] multiple subnets on single LAN interface?
 Date:  Wed, 7 Mar 2007 12:59:21 -0700
Solution posted below.

On 3/7/07, David Burgess <apt dot get at gmail dot com> wrote:
> I appreciate the detailed responses I've had on this topic. I feel
> like I'm getting close to a solution here.
>
> On 3/7/07, Marc A. Runkel <mrunkel at skyriver dot net> wrote:
> > Hey David,
> >
> > If I understand this right, all your clients and your servers/equipment are connected in the
> > same broadcast domain, but are separated by logical IP addressing? I.e., the devices are plugged into
> > the same switch, but have different IP ranges?
>
> Correct.
>
> > First, it must be a very interesting story about why this came about, but we'll leave that for a
> > different day.
>
> Since it's probably quite relevant to the present discussion, I'll
> elaborate a bit on that. We are a wireless ISP. We have no publicly
> accessible servers on the network, but each client has a radio or "SM"
> which is essentially a wireless bridge. This SM has a configuration
> gui with a manual IP address, in our case on the 172.16/16 network. We
> don't want the client to access it, but we need to be able to access
> it.
>
> We also have a number of access points and backhauls (a pair of radios
> linking one AP tower to the next).
>
> We have 200+ customers, each with a computer or router on the 10.0/16
> network using monowall's 10.0.0.1 LAN as gateway.
>
> Therefore we have 200+ SMs plus a handful of APs, BHs, and other
> sundry control equipment all on 172.16/16. These are physically
> intermingled with the 10.0/16 machines, of necessity.
>
> Here's a simplified ASCII diagram of our network for fun and information:
>
> customer1 - SM           customer3 - SM
>                         \                              \
>                         AP - BH ---------- BH - AP - BH ------- BH - monowall - internet
>                         /                              /
> customer2 - SM          customer4 - SM
>
> > Second, one solution is to... change your DHCP server settings overnight...
>
> Obviously our 172.16 equipment is password protected, nevertheless we
> prefer to maintain it on a separate subnet if possible. Out of sight,
> out of mind.
>
> > If you really want to maintain your existing IP numbering scheme, you need to add a secondary IP
> > to the monowall interface. NO way to do this through the GUI though. You'd have to do it with the
> > /exec.php page.
>
> I'm all for that. I'll keep searching the archives for a way to do
> that, but any pointers would be appreciated.
>
> > Or, if you have an extra interface in your monowall, plug it into the same switch and give it
> > the server's IP range. Just turn on advanced NAT.
>
> This looks like the immediate solution, just adding a third NIC,
> plugging it into the LAN switch and naming it 172.16.0.1/16.
>
> > Lacking an extra interface, you can also setup VLANs (if your
> > switches support that feature) and route between the virtual
> > interfaces.
>
> This solution appeals to me, but doesn't that require having the
> 172.16 machine on a physically separate switch port from the 10.0
> machine? That would be impossible in this case, as each 10.0 client
> connects to monowall through the 172.16 equipment.
>
> > The monowall (any router) needs to "know" about the equipment's IP network and it needs to know
> > how to get there. Note that in any setup where the router gets involved, you are creating a
> > bottleneck at the router, both in its CPU's ability to switch the packets and on the total
> > bandwidth of the router interface.
>
> As an ISP, we have virtually no intranet traffic. Any traffic passed
> from the router's 10.0 interface to its 172.16 interface will be
> occasional and minimal.
>
> As the internet gateway, the monowall is a natural bottleneck and has
> been designed with the resulting bandwidth and cpu loads in mind.
>
> > Lastly, 300+ devices is a lot for any Ethernet subnet. You might want to plug ethereal into
> > your network and take a look at your broadcast traffic...
>
> Perhaps you're right, although I suspect that our broadcast traffic is
> relatively minimal. Could be an illuminating exercise though.
>
> db
>
> > m.
> > -----Original Message-----
> > From: David Burgess [mailto:apt dot get at gmail dot com]
> > Sent: Tuesday, March 06, 2007 3:24 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] multiple subnets on single LAN interface?
> >
> > On 3/6/07, krt <kkrrtt at gmail dot com> wrote:
> > > Short Answer: No
> > >
> > > Long Answer:
> > > You have to route your packets if you do not participate in those
> > > subnets with a local interface.
> >
> > By "route your packets" are you referring to routing table
> > modifications on my client machine? Or routing table modifications to
> > the m0n0wall? Because the latter is kind of where I was trying to go,
> > and without success.
> >
> > > Why not run the DHCP server with a range of IP addresses from the
> > > 172.16.0.0/16 that you've reserved as the "DHCP RANGE" and that you will
> > > not and do not have current static assignments in?
> >
> > This is an option, but it means lots and lots of people not having
> > internet access until they renew their dhcp lease, which in many cases
> > would mean a week up to a month without internet. And no, most of
> > these people aren't savvy enough to try that on their own, and no, I
> > won't be fielding all the angry phone calls. So basically it's not a
> > very practical option for us.
> >
> > So is there a really long answer that wasn't included in the first
> > response? I'm not averse to reading up if there's a way to do this.
> > I'm just not finding anything really relevant in my searches so far.
> >
> > For what it's worth, here's an interesting excerpt from m0n0wall's
> > System:Advanced page:
> >
> > "Bypass firewall rules for traffic on the same interface
> > This option only applies if you have defined one or more static
> > routes. If it is enabled, traffic that enters and leaves through the
> > same interface will not be checked by the firewall..."
> >
> > Am I wrong in inferring that if traffic enters an interface,
> > potentially passes through the firewall, then leaves the same
> > interface, then said traffic must have differing source and
> > destination subnets, which is basically what I'm trying to implement.
> > Am I misinterpreting the function of a static route here?
> >
> > db
> >
> >
> > > David Burgess wrote:
> > > > I'm not sure if I'm going down a blind alley here, but it seems to me
> > > > there must be a way to access a subnet other than one's own without
> > > > crossing the firewall. Here's my m0n0wall's basic setup:
> > > >
> > > > WAN: static public IP address
> > > > LAN: 10.0.0.1/16, running dhcpd
> > > >
> > > > Our clients all get IPs from the LAN dhcpd.
> > > > Meanwhile, our equipment all have static IP addresses on the subnet
> > > > 172.16.0.0/16. Currently, to connect with a piece of equipment one
> > > > must change one's IP address manually to the 172.16/16 subnet. Is
> > > > there not a way using static routes to maintain one's 10/16 address
> > > > and have the m0n0wall redirect 172.16/16 requests to the appropriate
> > > > equipment on the LAN? I tried adding a static route thus:
> > > >
> > > > 172.16             172.16.0.1         UGS         0      126    [LAN]
> > > >
> > > > but no dice. I tried a similar entry, using 10.0.0.1 as the gateway,
> > > > but nothing still. Is this possible? Can somebody point me to a
> > > > resource if it's not a simple fix? Please don't tell me to change my
> > > > equipment to the 10/16 subnet, as we're talking about ~300 items here.
> > > > I'll consider that a last resort, along with manually changing my IP
> > > > to the 172.16/16 every time I want to have a look.
> > > >
> > > > Thanks,
> > > > db

Thanks for everybody's input. It turns out it's pretty simple to add
an IP alias to the LAN, although I never did find it in the list
archives. I'll reiterate the many expressed sentiments I did find on
the topic, i.e., it's a bad idea, insecure, in most cases there's
probably a better solution, etc.

In some cases however, you may just want to add an alias to your LAN
interface, and for future reference, this is accomplished by executing
the following line in exec.php:

ifconfig nve0 inet 172.16.0.1 netmask 255.255.0.0 alias

You'll then need to put a corresponding line into the config.xml file
to preserve the alias across reboots.

db
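As an added illustration (not code from the thread or from m0n0wall itself), a small Python model of the forwarding decision behind the two approaches discussed above: the static route with 172.16.0.1 as gateway cannot work because the router holds no address on that network, while the alias makes 172.16/16 a directly connected network. It also flags that, once the alias exists, customer-to-equipment traffic enters and leaves the same LAN interface, so the LAN rule set is what stands between the 10.0/16 customers and the 172.16/16 gear. The interface name nve0 and the addresses come from the thread; the function names are my own.

```python
import ipaddress

# Constructed model of the m0n0wall in this thread (not m0n0wall's own code).
# nve0 is the LAN interface David used in exec.php; the alias is the one he added.
LAN_IF = "nve0"
LAN_PRIMARY = "10.0.0.1/16"
EQUIPMENT_ALIAS = "172.16.0.1/16"


def alias_command(ifname, alias_cidr):
    """Render the exec.php line that adds a secondary address to an interface."""
    iface = ipaddress.ip_interface(alias_cidr)
    return f"ifconfig {ifname} inet {iface.ip} netmask {iface.netmask} alias"


def connected(addrs):
    """Directly connected networks, keyed by network, from (ifname, cidr) pairs."""
    return {ipaddress.ip_interface(cidr).network: ifname for ifname, cidr in addrs}


def lookup(dst, addrs, static_routes=()):
    """Forwarding decision for one destination address.

    Returns ("connected", ifname), ("via", gateway) or ("unreachable", reason).
    Encodes the rule that sank the static-route attempt in the thread: a gateway
    is only usable when the router has an address on the gateway's own network.
    """
    dst = ipaddress.ip_address(dst)
    nets = connected(addrs)
    # Longest prefix first among directly connected networks.
    for net in sorted(nets, key=lambda n: n.prefixlen, reverse=True):
        if dst in net:
            return ("connected", nets[net])
    for prefix, gw in static_routes:
        if dst in ipaddress.ip_network(prefix):
            if any(ipaddress.ip_address(gw) in net for net in nets):
                return ("via", gw)
            return ("unreachable", f"gateway {gw} is not on a connected network")
    return ("unreachable", "no route")


def hairpins_on_lan(src, dst, addrs):
    """True when src and dst both resolve to the same interface: the router
    receives and re-sends the packet on one wire, so only that interface's
    firewall rules can restrict customer access to the equipment subnet."""
    s, d = lookup(src, addrs), lookup(dst, addrs)
    return s[0] == "connected" and d[0] == "connected" and s[1] == d[1]
```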